Security tweaks for heimdall

Erwin Boskma 2023-04-10 23:27:31 +02:00
parent 3b4014b2f8
commit 02874f0e50
Signed by: erwin
SSH key fingerprint: SHA256:9LmFDe1C6jSrEyqxxvX8NtJBmcbB105XoqyUZF092bg


@ -76,9 +76,20 @@
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
services.openssh.enable = true; services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
};
};
services.tailscale.enable = true; services.tailscale.enable = true;
security.apparmor = {
enable = true;
killUnconfinedConfinables = true;
};
security.protectKernelImage = true;
# sops.defaultSopsFile = ./secrets.yaml; # sops.defaultSopsFile = ./secrets.yaml;
# sops.secrets = { # sops.secrets = {
# wireguard_key = { }; # wireguard_key = { };